Cisco Files Suit to Gag Researcher, Security Conference

By Paul F. Roberts |
Posted 07-27-2005

Cisco Systems and Internet Security Systems have asked a U.S. District Court to issue a restraining order against a former ISS researcher and Black Hat over the leak of information about security holes in Cisco's Internetwork Operating System.

On Wednesday, Black Hat organizers announced that a planned talk on the IOS hole would be cancelled, prompting Lynn to resign his position at ISS (Internet Security Systems Inc.) and give the talk anyway, to a packed audience of security experts and hackers.

According to Lynn, flaws in IOS could allow attackers to use existing "heap overflow" vulnerabilities to take control of Cisco routers running IOS.

In heap overflow attacks, chunks of data are sent to vulnerable systems that cause areas of the device's memory to be overwritten with code of the attacker's choosing.

The technique developed by Lynn would give remote attackers access to the IOS "shell," from which the attacker could control the device. With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.

While the strategy does not involve new security vulnerabilities in IOS, it provides a way for malicious hackers to amplify the affect of known heap overflows, a Cisco spokesperson said.

By reverse-engineering IOS code, Lynn found a way to disable a process called "check heap" that is designed to detect such irregularities, and used an older exploit, known as an "uncontrolled pointer exchange," to gain control of IOS systems.